From 8d60fb734cfa0e9ee5088e7acaa595294f17e9fc Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Wed, 19 Feb 2025 11:05:32 -0500
Subject: [PATCH] Add `assessments` to OCSF (#1343)

See [this
thread](https://opencybersecu-lz97379.slack.com/archives/C05HLGHMKU2/p1738944570398689?thread_ts=1738942607.568969&cid=C05HLGHMKU2)
in the Slack for more information on the backstory.

Adds an `assessment` object that serves as a generalized Object that can
contain normalized assessment/evaluation data of specific configurations
or signals in a generalized fashion. For instance, this can be used to
capture details for CrowdStrike Zero Trust Assessments of Hosts, to
generalize assessment data of CSPM/DSPM platforms such as the various
ways to express if logging, encryption, or private access is enabled,
and to expand the `compliance` object for specific technical control
assessments.

It is important to separate these from the `Findings` Category as not
every assessment results in a first party alert or detection triggering,
for instance the CrowdStrike Zero Trust Assessments are passively
conducted on certain hosts with Identity Protection and don't
necessarily represent a negative finding.

This also allows for more abstracted asset inventories built upon
different sources where generic assessment data and metadata about the
asset/entity itself can be centralized without needing to rely on
multiple different Event Classes.

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
---
 CHANGELOG.md                                  | 22 +++++++++++++
 dictionary.json                               | 16 +++++++++
 .../cloud_resources_inventory_info.json       |  2 +-
 events/discovery/config_state.json            |  8 ++++-
 objects/assessment.json                       | 33 +++++++++++++++++++
 objects/compliance.json                       |  5 +++
 objects/policy.json                           |  4 +++
 7 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 objects/assessment.json

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98f69d1d3..753f8d7da 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,10 +43,22 @@ Thankyou! -->
 
 ### Added
 <<<<<<< HEAD
+<<<<<<< HEAD
 * #### Event Classes
     1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+=======
+* #### Dictionary Attributes
+  1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+* #### Objects
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
+>>>>>>> fa6af6aa (Add `assessments` to OCSF (#1343))
 
 ### Improved
+* #### Event Classes
+  1. Added `assessments` to `config_state`. #1343
 * #### Objects
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     2. Added `has_mfa` to `user` object. #1155
@@ -73,7 +85,13 @@ Thankyou! -->
   1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
 * #### Objects
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+  1. Added `data` to `policy` object. #1343
+
+### Misc
   1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
+<<<<<<< HEAD
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
   1. Added `meets_criteria` and `policy` to `assessment` object. #1343
   1. Added `assessments` to `compliance` object. #1343
@@ -91,6 +109,10 @@ Thankyou! -->
 4. Added `has_mfa` boolean_t to Dictionary. #1155
 5. Deprecate `project_uid`. #1166
 6. Added several new enums to `account.type_id`. #1166
+=======
+  1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Updated description of `config_state` to reflect the addition of the `assessments` object. #1343
+>>>>>>> fa6af6aa (Add `assessments` to OCSF (#1343))
 
 ## [v1.3.0] - August 1st, 2024
 
diff --git a/dictionary.json b/dictionary.json
index 7da6bf34e..282d89ba9 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -238,6 +238,17 @@
       "description": "The details of the group assigned to an Incident.",
       "type": "group"
     },
+    "assessment": {
+      "caption": "Assessment",
+      "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera.",
+      "type": "assessment"
+    },
+    "assessments": {
+      "caption": "Assessments",
+      "description": "A list of <code>assessment</code> objects.",
+      "type": "assessment",
+      "is_array": true
+    },
     "attacks": {
       "caption": "MITRE ATT&CK® Details",
       "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing identified tactics, techniques & sub-techniques.",
@@ -3349,6 +3360,11 @@
         }
       ]
     },
+    "meets_criteria": {
+      "caption": "Meets Criteria",
+      "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.",
+      "type": "boolean_t"
+    },
     "metadata": {
       "caption": "Metadata",
       "description": "The metadata associated with the event or a finding.",
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
index b399be30f..8c1d38908 100644
--- a/events/discovery/cloud_resources_inventory_info.json
+++ b/events/discovery/cloud_resources_inventory_info.json
@@ -1,7 +1,7 @@
 {
   "uid": 23,
   "caption": "Cloud Resources Inventory Info",
-  "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+  "description": "Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
   "extends": "discovery",
   "name": "cloud_resources_inventory_info",
   "attributes": {
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
index dd2d03273..e52a68d9d 100644
--- a/events/discovery/config_state.json
+++ b/events/discovery/config_state.json
@@ -1,7 +1,7 @@
 {
   "uid": 2,
   "caption": "Device Config State",
-  "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+  "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.",
   "extends": "discovery",
   "name": "config_state",
   "attributes": {
@@ -10,6 +10,12 @@
       "requirement": "optional",
       "profile": null
     },
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the device.",
+      "group": "context",
+      "requirement": "optional"
+    },
     "cis_benchmark_result": {
       "group": "primary",
       "requirement": "recommended"
diff --git a/objects/assessment.json b/objects/assessment.json
new file mode 100644
index 000000000..1bd420f33
--- /dev/null
+++ b/objects/assessment.json
@@ -0,0 +1,33 @@
+{
+	"caption": "Assessment",
+	"description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera, or capture details of Microsoft Intune configuration policies.",
+	"extends": "_entity",
+	"name": "assessment",
+	"attributes": {
+		"category": {
+			"description": "The category that the assessment is part of. For example: <code>Prevention</code> or <code>Windows 10</code>.",
+			"requirement": "optional"
+		},
+		"desc": {
+			"description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.",
+			"requirement": "recommended"
+		},
+		"meets_criteria": {
+			"description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a <code>Datastore</code> is encrypted or not, having encryption would be evaluated as <code>true</code>.",
+			"requirement": "required"
+		},
+		"name": {
+			"description": "The name of the configuration or signal being assessed. For example: <code>Kernel Mode Code Integrity (KMCI)</code> or <code>publicAccessibilityState</code>.",
+			"requirement": "recommended"
+		},
+		"policy": {
+			"caption": "Assessment Policy",
+			"description": "The details of any policy associated with an assessment.",
+			"requirement": "optional"
+		},
+		"uid": {
+			"description": "The unique identifier of the configuration or signal being assessed. For example: the <code>signal_id</code>.",
+			"requirement": "optional"
+		}
+	}
+}
\ No newline at end of file
diff --git a/objects/compliance.json b/objects/compliance.json
index a2ebdcdd0..33e1acf41 100644
--- a/objects/compliance.json
+++ b/objects/compliance.json
@@ -4,6 +4,11 @@
   "extends": "object",
   "name": "compliance",
   "attributes": {
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the compliance requirements evaluation",
+      "requirement": "optional"
+    },
     "compliance_references": {
       "requirement": "optional"
     },
diff --git a/objects/policy.json b/objects/policy.json
index e259a20b6..48a9973a6 100644
--- a/objects/policy.json
+++ b/objects/policy.json
@@ -4,6 +4,10 @@
   "extends": "_entity",
   "name": "policy",
   "attributes": {
+    "data": {
+      "description": "Additional data about the policy such as the underlying JSON policy itself or other details.",
+      "requirement": "optional"
+    },
     "desc": {
       "description": "The description of the policy.",
       "requirement": "optional"